Medicare data breach prompts law change
The Federal Government has moved to tighten privacy laws after doctor provider numbers were disclosed in a breach of security around Medicare and Pharmaceutical Benefit Scheme data.
Attorney-General George Brandis has announced plans to amend the Privacy Act to make it a criminal offence to re-identify de-identified Government data following a discovery that encrypted MBS and PBS data published by the Health Department had been compromised.
The Department was alerted on 12 September to the worrying security lapse by Melbourne University Department of Computing and Information researchers Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague, who found they were able to decrypt some service provider ID numbers in the publicly available Medicare 10 per cent dataset. They immediately alerted the Department.
In a statement, the Department said no patient information had been compromised in the incident.
“The dataset does not include names and addresses of service providers, and no patient information was identified,” the Department said. “However, as a result of the potential to extract some doctor and other service provider ID numbers, the Department of Health immediately removed the dataset from the website to ensure the security and integrity of the data is maintained.”
But Shadow Health Minister Catherine King questioned why it had taken the Government 17 days to reveal the security breach, and voiced concerns that there may have been 1500 downloads of the dataset before it was withdrawn by the Department.
“The Government’s 17 day delay in admitting to a breach of health data under their watch is unacceptable,” Ms King said.
Notice of the breach came as a Senate inquiry heard concerns about data security surrounding the decision to award Telstra Health a $220 million contract to design and operate the National Cancer Screening Registry, and follows the collapse of Australian Bureau of Statistics systems on census night.
The AMA said that although the data security breach was concerning, it should not result in governments withholding data from being available for research and policy development.
The Association said that although it was paramount that personal information be properly secured and protected, it was important that de-identified and encrypted data be made available by Government to help inform research and the analysis of health information.
Senator Brandis gave an assurance that the Government remained committed to making valuable data publicly available.
“The publication of major datasets is an important part of twenty-first century government providing a great benefit to the community,” the Attorney-General said. “It enables…policymakers, researchers and other interested persons to take full advantage of the opportunities that new technology creates to improve research and policy outcomes.”
But Senator Brandis said that advances in technology had meant that methods used in the past to de-identify data “may become susceptible to re-identification in the future”.
Under his proposed changes to the Privacy Act, it would be a criminal offence to re-identify de-identified Government data, to encourage someone else to do it, or to publish or communicate such data.
The Health Department said it was conducting a “full, independent audit” of the process followed in compiling, reviewing and publishing the data, and promised that “this dataset will only be restored when concerns about its potential vulnerabilities are resolved”.
The Office of the Australian Information Commissioner is undertaking a separate investigation.